#terragrunt (2020-12)

terragrunt

Terragrunt discussions

Archive: https://archive.sweetops.com/terragrunt/

2020-12-02

Andrea avatar

Hi, do you know if there is a way to specify which AWS credentials to use in kubergrunt please?

Andrea avatar

for example

kubergrunt eks deploy --region eu-west-1 --asg-name k8s_workers_windows --kubectl-context-name k8s-test

only works when targeting my default AWS account

Andrea avatar

to make the command work with any other account, I need to export the AWS access and secret keys like so:

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=

pjaudiomv avatar
pjaudiomv

You can probably use the AWS_PROFILE env var

2020-12-03

Andrea avatar

yep, that worked. thanks!

Andrea avatar

not sure how easy/hard it would be to add the AWS profile to kubergrunt but that it would be a nice to have…

Andrea avatar

thanks @pjaudiomv!

2020-12-07

David avatar

Is there a way to do good old terraform in a terragrunt.hcl file?

David avatar

I would like to construct iam policy documents using data calls and then passing them in the inputs = { }

David avatar

cloudposse/terraform-aws-iam-role

A Terraform module that creates IAM role with provided JSON IAM policies documents. - cloudposse/terraform-aws-iam-role

David avatar

I haven’t tested it, but you might be able to do it by:
• Adding a generate block in terragrunt to write out a data source into your terraform module
• Putting an override.tf file next to your terragrunt.hcl file where you override the policy field of the role to point to your generated data source
Override files docs: https://www.terraform.io/docs/configuration/override.html

Personally, I just use jsonencode and create the IAM Policy in terragrunt

Override Files - Configuration Language - Terraform by HashiCorp

Override files allow additional settings to be merged into existing configuration objects.

David avatar

jsonencode is really nice because you can use terragrunt vars / dependency outputs the same way you’d use with iam_policy data sources

David avatar

Can you paste an example of using jsonencode?

David avatar

I am guessing what you mean is you’re using a module written in terraform that uses jsonencode to generate IAM policy documents using the output of dependency blocks in terragrunt

David avatar

include {
  path = find_in_parent_folders("terragrunt-config-dev.hcl")
}

terraform {
  source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam//modules/iam-policy?ref=v3.4.0"
}

dependency datadog_param {
  config_path = "${get_parent_terragrunt_dir()}/foo/bar/datadog_ssm_param"
}

dependency ssh_key_param {
  config_path = "${get_parent_terragrunt_dir()}/foo/baz/ssh_key_param"
}

inputs = {
  name        = "FooBarPolicy"
  description = "demo policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowFetchingSecrets"
        Effect = "Allow"
        Action = [
          "ssm:GetParameter",
          "ssm:GetParameters",
          "secretsmanager:GetSecretValue"
        ]
        Resource = [
          dependency.datadog_param.outputs.arn,
          dependency.ssh_key_param.outputs.arn,
        ]
      },
      {
        Sid      = "AllowReadingKms",
        Effect   = "Allow",
        Action   = "kms:*",
        Resource = "*",
      }
    ]
  })
}

Nah, I create the policy entirely in terragrunt

David avatar

hm

David avatar

What does datadog_param do?

David avatar

Is it just a data-call module?

David avatar

It’s just another module. In this case, it creates an SSM SecureString parameter. Then this policy module says to create an IAM Policy that has permissions to read/decrypt that SSM Parameter’s value

David avatar

Do you store the value of the DD api key in SSM using terraform?

David avatar

My policy also needs access to a DD key lol

David avatar

I am just curious to know how you’re doing it

David avatar

yeah I do. We use Vault as our source of truth for secrets, and then have a really basic module that copies a Vault Secret -> SSM for when using SSM is easier than Vault for some service

David avatar

We also have a Lambda function that copies keys in bulk from Vault -> SSM, and then in our policies we use a prefix + wildcard for the output of that lambda run

2020-12-10

Mr.Devops avatar
Mr.Devops

Needing help with setting terragrunt to use aws assume role

Joe Niland avatar
Joe Niland

I use it with awscli and aws-vault

Joe Niland avatar
Joe Niland

I could try to write a gist

Mr.Devops avatar
Mr.Devops

That would be nice example to reference if you don’t mind

Mr.Devops avatar
Mr.Devops

Thx Joe

Joe Niland avatar
Joe Niland

not sure if that’s what you’re after

Joe Niland avatar
Joe Niland

I am just using the standard generate “provider” block from terragrunt docs

Mr.Devops avatar
Mr.Devops

AWESOME thx Joe

Mr.Devops avatar
Mr.Devops

I’m having a hard time understanding how to setup assume role

David avatar

Hello! Have you seen https://terragrunt.gruntwork.io/docs/features/work-with-multiple-aws-accounts/? If so, do you have any questions that I could expand on?

Work with multiple AWS accounts

Learn how Terragrunt may help you to work with multiple AWS accounts.

Mr.Devops avatar
Mr.Devops

Thx @David I’ve read it but still a bit lost

David avatar

that makes sense, I remember it took me a while to get it working the first time. What do you have so far? Do you already have a set of IAM Roles you are trying to use?

David avatar

And are you trying to get this to work locally, or on a CI system, or both?

Mr.Devops avatar
Mr.Devops

atm i created an iam user using its access key/id whereas i’m calling the keys from ~/.aws/credentials file, but in my code i’m calling it via profile name

remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "non-production-xxx"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-west-2"
    profile        = "non-prod"
    encrypt        = true
    dynamodb_table = "my-lock-table"
  }
}

Mr.Devops avatar
Mr.Devops

i am planning to setup Atlantis with this as well

David avatar

Nice! With Terragrunt, that looks like a good setup for assuming a particular profile for looking-up/updating the tfstate, but you’ll also need to assume a role using the provider block in your terraform code so that the resources you update are created using that same profile

Mr.Devops avatar
Mr.Devops

yeah that’s the confusing part which i need help with. I never understand how to use assume roles with terraform/terragrunt

Mr.Devops avatar
Mr.Devops

Another question which i do have is when using the remote_state backend within terragrunt.hcl. Does that need to be included into the source repo of terraform code? or just the root dir of my module?

Mr.Devops avatar
Mr.Devops

e.g here’s my main module i will use for all env which in terragrunt.hcl it has a terraform block to call the source of my terraform module in github

Mr.Devops avatar
Mr.Devops

include {
  path = find_in_parent_folders()
}

terraform {
  source = "git@github.com:PTATH81/terraform-aws-ec2.git//app?ref=v0.0.1"

  extra_arguments "common_vars" {
    commands = get_terraform_commands_that_need_vars()

    arguments = [
      "-var-file=non-prod.tfvars"
    ]
  }
}

David avatar

Gotcha! There are likely better ways of doing this nowadays after the go aws-sdk fixed up some bugs a few months ago, but my setup that works both locally and on atlantis is:

Have a single .tf file that I inject into all modules with a generate block in the parent terragrunt files that contains:

provider "aws" {
  profile = var.profile
  region  = var.region

  assume_role {
    role_arn     = var.role_to_assume
    session_name = "terraform"
  }

  allowed_account_ids = var.allowed_account_ids
}

Then in a separate parent terragrunt file for each environment, I add an input:

role_to_assume      = get_env("DEV_IAM_ROLE", "arn:aws:iam::1234567890:role/Sandbox-Admin")

where identity is the aws-profile for the primary IAM user locally, and that role is the role that will give the local user permissions to do stuff in a given env.

Then on Atlantis, I add the envs from terraform like:

envs = {
  ...
  DEV_IAM_ROLE       = dependency.dev_role.outputs.external_role_arn
  STAGING_IAM_ROLE   = dependency.staging_role.outputs.external_role_arn
  PROD_IAM_ROLE      = dependency.prod_role.outputs.external_role_arn
  COMMONS_IAM_ROLE   = dependency.commons_role.outputs.external_role_arn
  ATLANTIS_IAM_ROLE  = dependency.atlantis_role.outputs.external_role_arn
  ...
}

It works pretty well

David avatar

tfstate stuff should only go in your parent terragrunt config, so long as you use a generate field definition inside the remote_state block of your parent terragrunt config file

Mr.Devops avatar
Mr.Devops

this is great to see how others are using this. I now have a greater understanding. Atm my .hcl in the root/parent tree is using

remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "production-tfstate"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-west-2"
    profile        = "non-prod"
    encrypt        = true
    dynamodb_table = "my-lock-table"
  }
}

Mr.Devops avatar
Mr.Devops

i plan to use variables in the config

Mr.Devops avatar
Mr.Devops

thx @David !

David avatar

you are very welcome

Mr.Devops avatar
Mr.Devops

Hi David me again. I ran into an issue

Mr.Devops avatar
Mr.Devops

i’m following the file structure as

├── qa
│   ├── app
│   │   └── terragrunt.hcl
│   ├── mysql
│   │   └── terragrunt.hcl
│   └── vpc
│       └── terragrunt.hcl

and when i ran a plan or apply i get the error Did not find any Terraform files (*.tf) in .terragrunt-cache although there is many .tf files in my git module

David avatar

Interesting, what directory are you running your terragrunt commands in?

It might be worthwhile to run a quick find . -type d -name ".terragrunt-cache" -prune -exec rm -rf {} \; from the root of your repo to clear out all the caches and make sure it isn’t just an issue with a corrupted cache

Mr.Devops avatar
Mr.Devops
01:49:48 AM

i’m running it in my app dir

Mr.Devops avatar
Mr.Devops
01:52:17 AM

after updating my source github url from [email protected]:PTATH81/terraform-aws-ec2.git//app?ref=v0.0.2 to [email protected]:PTATH81/terraform-aws-ec2.git the error went away but now i get

Mr.Devops avatar
Mr.Devops

strange..

David avatar

I can’t find much about that online unfortunately. What versions of terraform and terragrunt are you using?

Can you try clearing the cache and then running a TF_LOG=trace terragrunt init and seeing if the extra logs have any helpful hints?

Mr.Devops avatar
Mr.Devops

terragrunt version v0.23.40

Mr.Devops avatar
Mr.Devops

Terraform v0.14.2

Mr.Devops avatar
Mr.Devops

let me clear cache

Mr.Devops avatar
Mr.Devops

i also enabled TRACE for TF_LOG

Mr.Devops avatar
Mr.Devops

here’s what i’m seeing

-----------------------------------------------------
2020/12/10 18:14:20 [DEBUG] [aws-sdk-go] {}
2020/12/10 18:14:20 [WARN] failed to fetch state md5: invalid md5
2020/12/10 18:14:20 [DEBUG] Service discovery for registry.terraform.io at <https://registry.terraform.io/.well-known/terraform.json>
2020/12/10 18:14:20 [TRACE] HTTP client GET request to <https://registry.terraform.io/.well-known/terraform.json>

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
2020/12/10 18:14:20 [DEBUG] GET <https://registry.terraform.io/v1/providers/hashicorp/aws/versions>
2020/12/10 18:14:20 [TRACE] HTTP client GET request to <https://registry.terraform.io/v1/providers/hashicorp/aws/versions>
2020/12/10 18:14:20 [DEBUG] GET <https://registry.terraform.io/v1/providers/hashicorp/aws/3.20.0/download/windows/amd64>
2020/12/10 18:14:20 [TRACE] HTTP client GET request to <https://registry.terraform.io/v1/providers/hashicorp/aws/3.20.0/download/windows/amd64>
2020/12/10 18:14:20 [DEBUG] GET <https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS>
2020/12/10 18:14:20 [TRACE] HTTP client GET request to <https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS>
2020/12/10 18:14:20 [DEBUG] GET <https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS.sig>
2020/12/10 18:14:20 [TRACE] HTTP client GET request to <https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS.sig>
- Installing hashicorp/aws v3.20.0...
2020/12/10 18:14:20 [TRACE] providercache.Dir.InstallPackage: installing registry.terraform.io/hashicorp/aws v3.20.0 from <https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_windows_amd64.zip>
2020/12/10 18:14:20 [TRACE] HTTP client GET request to <https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_windows_amd64.zip>
2020/12/10 18:14:21 [DEBUG] Provider signed by 51852D87348FFC4C HashiCorp Security <[email protected]>

Error: Failed to install provider

Error while installing hashicorp/aws v3.20.0: open
.terraform\providers\registry.terraform.io\hashicorp\aws.20.0\windows_amd64\terraform-provider-aws_v3.20.0_x5.exe:
The system cannot find the path specified.

[terragrunt] 2020/12/10 18:14:21 Hit multiple errors:
exit status 1

loren avatar

terragrunt does not, technically, yet support tf 0.14, so you may be layering one problem on another…

Mr.Devops avatar
Mr.Devops

ah

Mr.Devops avatar
Mr.Devops

let me rollback the ver i have

Mr.Devops avatar
Mr.Devops

thx @loren

Mr.Devops avatar
Mr.Devops

what ver do you recommend ?

Mr.Devops avatar
Mr.Devops

v0.13.5 ok?

loren avatar

if you check their github issues, they are tracking it. it’s just a bit too new still for them to claim support. the issues indicate some folks have gotten it to work, but with caveats. i haven’t tried yet myself, so am unsure of exactly what caveats

loren avatar

yeah, i use terragrunt with tf 0.13.5 regularly

David avatar

and if nothing else, terragrunt 0.25.0 was the first to even support terraform 0.13.x.

FWIW, I use v0.25.4 with terraform 0.14.1 with no issues, and run it against ~600 modules

Mr.Devops avatar
Mr.Devops

sweet you guys are awesome

Mr.Devops avatar
Mr.Devops

i will let you know how it goes

Mr.Devops avatar
Mr.Devops

i still ran into the issue, but did notice @loren comment on this from https://github.com/gruntwork-io/terragrunt/issues/581

(updating the env TERRAGRUNT_DOWNLOAD path, which does do away with the error. But once removed again the error is the same.) @David what system are you running terragrunt on? I’m on windows.

Issues while running tests on Windows · Issue #581 · gruntwork-io/terragrunt

This issue is to keep track of the errors encountered while running tests on Windows Filename too long — FAIL: TestLocalWithRelativeExtraArgsWindows (2.42s) integration_test.go Failed to ru…

Mr.Devops avatar
Mr.Devops

cutting down the dir structure helped for now.

loren avatar

oh you’re on windows. yes, it is just about mandatory to set TERRAGRUNT_DOWNLOAD. it’s not bullet proof but helps a lot

loren avatar

an even better option is to use WSL and avoid the path issue entirely

David avatar

what system are you running terragrunt on?

Locally, I’m on a mac, and our Atlantis runs on AmazonLinux2. My only windows experience is some testing on the https://github.com/transcend-io/terragrunt-atlantis-config library I maintain, but I’m not super experienced with it.

transcend-io/terragrunt-atlantis-config

Generate Atlantis config for Terragrunt projects. Contribute to transcend-io/terragrunt-atlantis-config development by creating an account on GitHub.

Mr.Devops avatar
Mr.Devops

Unfortunately yes, Windows, as we use aws workspaces and I’m afraid it doesn’t support wsl

loren avatar

use session manager to connect to a linux dev box or try cloud9…

loren avatar

or use vs code with the remote ssh plugin…

Mr.Devops avatar
Mr.Devops

thx for the tip @loren

Mr.Devops avatar
Mr.Devops

hi Guys sorry to bother again. What is the preferred location to store your backend terragrunt.hcl file? Should i include that in the root dir of my terraform module (this is located in its own separate git repo)? Or should I include it in my environment module (this is also in its own separate git repo)?

David avatar

by “backend terragrunt.hcl file” are you referring to the parent config file that the other child modules include?

Mr.Devops avatar
Mr.Devops

yes the parent which the child module has when using

include {
  path = find_in_parent_folders()
}

David avatar

hmm, I’m not sure on the best practice here. I use a monorepo for all my config, so I have the parent files at the root of the git repo. I would think that there would be some implications with Atlantis if you put the config file in a separate repo, which might complicate things

Mr.Devops avatar
Mr.Devops

i see - at first i was also using monorepo which works great, but i figured “what if” i try it this way….

Mr.Devops avatar
Mr.Devops

i wonder if folks out there may have come across the path i’m looking towards here too

Mr.Devops avatar
Mr.Devops

thx again @David and happy Monday!

2020-12-15

NVMeÐÐi avatar
NVMeÐÐi

anyone have example code of best standards for handling route53 with terragrunt?

2020-12-16

David avatar

Interested in knowing how others are doing testing changes locally before pushing to a remote, in particular ones that support plan-all/apply-all commands

David avatar

currently I use --terragrunt-source with a path directly to the module which I would like to apply local changes to

David avatar

this doesn’t work well for a plan all scenario, terragrunt will complain that it isn’t able to find modules for the other terragrunt modules

David avatar

--terragrunt-source ~/dev/work/forks/example-infrastructure-modules//example-service for example

David avatar

I have tried just passing the path to the module folder but ran into errors

Mr.Devops avatar
Mr.Devops

has anyone run into this issue when running terragrunt plan

Failed to get existing workspaces: S3 bucket does not exist

Mr.Devops avatar
Mr.Devops

running terragrunt plan does create the bucket for me but yet it’s stating it cannot find an existing bucket. The only way to get around this is if i wack out the .terragrunt-cache dir

2020-12-23

tim.davis.instinct avatar
tim.davis.instinct

Hey all, just wanted to make sure it was put here for anyone who didn’t see it on the Office-Hours this past week. Remote-Run support for Terragrunt is now available in env0!: https://www.env0.com/blog/terragrunt-release

Time to DRY those IaC configurations with env0 and Terragrunt! | env0 blog

Hello, env0 and Terragrunt fans alike! It’s new-feature-day, yet again! But this time, we have something really special for you. We’re giving you the ability to completely change the game on the Infrastructure as Code files that you use to deploy and manage environments with our platform! Introducing remote-run support for Terragrunt workflows, now available in env0!
